On the security of public key cryptosystems with a double decryption mechanism

In public key encryption schemes with a double decryption mechanism (DD–PKE), decryption can be done in either of two ways: by the user owning the secret/public key pair corresponding to the ciphertext, or by a trusted party holding a sort of master secret-key. In this note we argue that the classical security notion for standard public key encryption schemes does not suffice for DD–PKE schemes, and propose a new natural definition. Additionally, we illustrate the usefulness of the new security definition by showing that a DD–PKE scheme presented in the workshop Selected Areas in Cryptography 2005 is insecure under this augmented security notion.